Table of Contents
Martin Smolár, a security researcher from ESET, has disclosed 3 new vulnerabilities in Lenovo UEFI. The vulnerability is impacting multiple Lenovo consumer Notebook models like Yoga, IdeaPad, and ThinkBook devices leaving millions of laptops vulnerable. These vulnerabilities allows advisories to disable UEFI Secure Boot or restoring factory default Secure Boot databases (incl. dbx) all simply from an OS on the affected devices. It is highly important for all the Lenovo Laptop holders to be aware of these three vulnerabilities. We created this post that tells you how to fix the 3 new vulnerabilities in Lenovo UEFI.
Before we begin exploring the 3 New Vulnerabilities In Lenovo UEFI, it is good to learn what is UEFI, what makes it different then BIOS, and what is a Secure Boot in UEFI. Without further due let’s get started.
What Is a Secure Boot in UEFI?
Sometimes, you may get confused between UEFI and BIOS. Here is a small note that lets you know the difference between UEFI and BIOS in simple words.
UEFI is the successor to BIOS, offering a more modern interface as well as additional features and capabilities. UEFI stands for Unified Extensible Firmware Interface and is essentially a software program that sits on top of your computer’s hardware and provides an interface between the operating system and the hardware.
BIOS, on the other hand, stands for Basic Input/Output System. It is a ROM chip that stores information about your computer’s hardware and how it should be configured. The BIOS is responsible for booting up your computer, and it generally does not offer as many features or capabilities as UEFI.
So, UEFI is a more modern version of BIOS that offers additional features and capabilities. It is not required on all computers, but it is becoming more common. If your computer has UEFI, you will likely see a UEFI options menu when you boot up the computer that will allow you to change UEFI settings.
What Is a Secure Boot in UEFI?
Secure boot is a feature of UEFI that allows the system to verify the authenticity of the operating system and other software components before allowing them to be loaded and executed. This helps to ensure that only trusted software can be run on the system, and helps to prevent malicious code from being installed or executed.
In order for secure boot to work, the system must first be configured with a set of trusted digital signatures. These signatures are used to verify the authenticity of the software components that are being loaded and executed. The system will only allow software components with a valid digital signature to be loaded and executed. This helps to ensure that only trusted software can run on the system.
Summary of the 3 New Vulnerabilities in Lenovo UEFI:
On November 2021, Martin Smolár, a security researcher from ESET reported the three flaws to the PC manufacturer. The vulnerabilities tracked as CVE-2022-3430, CVE-2022-3431, and CVE-2022-3432 let attackers to turn off Secure Boot, a feature of UEFI that allows the system to verify the authenticity of the operating system and other software components before allowing them to be loaded and executed.
Let’s see the summary of the three vulnerabilities CVE-2022-3430, CVE-2022-3431, and CVE-2022-3432.
The vulnerability is stemmed from WMI Setup driver, which is used only during the manufacturing phase. But somehow it was mistakenly left in the production devices. This flaw allows an adversary with elevated privileges to modify Secure Boot setting by modifying an NVRAM variable.
List of Lenovo Laptops Vulnerable to the Flaws:
Lenovo has verified its Laptop modules and published the vulnerable models in its advisory report. Please don’t miss to see the list of Notebook models.
| Product | Component | CVE-2022-3430 | CVE-2022-3431 |
| D330-10IGL Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – D330-10IGL | G0CN11WW | G0CN11WW |
| IdeaPad 5 Pro 16ARH7 | BIOS Update for Windows 11 (64-bit) – IdeaPad 5 Pro 16ARH7 | J4CN33WW | J4CN33WW |
| IdeaPad 5 Pro 16IAH7 | BIOS Update for Windows 11 (64-bit) – IdeaPad 5 Pro 16IAH7 | J5CN27WW | Not Affected |
| IdeaPad Duet 3 10IGL5 | BIOS Update for Windows 11 (64-bit) and Windows 10 (64-bit) – IdeaPad Duet 3-10IGL5 | EQCN37WW | EQCN37WW |
| Lenovo Slim 7 16ARH7 | BIOS Update for Windows 11 (64-bit) – Yoga Slim 7 Pro 16ARH7 | KLCN15WW | KLCN15WW |
| Lenovo ThinkBook 15p IMH | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – Lenovo ThinkBook 15p IMH | F6CN25WW | Not Affected |
| S540-15IML Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – S540-15IML | Not Affected | CNCN22WW |
| Slim 7 Pro 16ACH6 Laptop (IdeaPad) | BIOS Update for Windows 11 (64-bit) – Yoga Slim 7 Pro 16ACH6, Slim 7 Pro 16ACH6 | Not Affected | HUCN16WW |
| Slim 7-14ARE05 Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – Yoga Slim 7-14ARE05, ideapad 7-14ARE05 | DMCN43WW | Not Affected |
| Slim 7-14IIL05 Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – Yoga Slim 7-14IIL05, Yoga Slim 7-15IIL05, ideapad Slim 7-15IIL05, ideapad Slim 7-14IIL05 | DHCN35WW | Not Affected |
| Slim 7-14ITL05 Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – Yoga Slim 7-14ITL05, Yoga Slim 7-15ITL05, IdeaPad Slim 7-14ITL05, IdeaPad Slim 7-15ITL05 | FBCN29WW | Not Affected |
| Slim 7-15IIL05 Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – Yoga Slim 7-14IIL05, Yoga Slim 7-15IIL05, ideapad Slim 7-15IIL05, ideapad Slim 7-14IIL05 | DHCN35WW | Not Affected |
| Slim 7-15IMH05 Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – Yoga Slim 7 15IMH05, IdeaPad Slim 7 15IMH05, Yoga Creator 7-15IMH05 | DNCN32WW | Not Affected |
| Slim 7-15ITL05 Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – Yoga Slim 7-14ITL05, Yoga Slim 7-15ITL05, IdeaPad Slim 7-14ITL05, IdeaPad Slim 7-15ITL05 | FBCN29WW | Not Affected |
| ThinkBook 13x ITG Laptop | BIOS Update for Windows 11 (64-bit) and Windows 10 (64-bit) – ThinkBook 13x ITG | HLCN30WW | HLCN30WW |
| ThinkBook 14 G2 ARE Laptop | BIOS Update for Windows 10 (64-bit) – ThinkBook 14 G2 ARE, ThinkBook 15 G2 ARE | FACN33WW | Not Affected |
| ThinkBook 14 G2 ITL Laptop | BIOS Update for Windows 10 (64-bit) – ThinkBook 14 G2 ITL, ThinkBook 15 G2 ITL | F8CN52WW | Not Affected |
| ThinkBook 14 G3 ACL Laptop | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit)- ThinkBook 14 G3 ACL, ThinkBook 15 G3 ACL | GQCN35WW_HFCN30WW | Not Affected |
| ThinkBook 14 G3 ITL Laptop | BIOS Update for Windows 10 (64-bit) – ThinkBook 14 G3 ITL | HRCN13WW | Not Affected |
| ThinkBook 14 G4 ABA Laptop | BIOS Update for Windows 11 (64-bit) – ThinkBook 14 G4 ABA, ThinkBook 15 G4 ABA | JPCN20WW | Not Affected |
| ThinkBook 14 G4+ ARA | BIOS Update for Windows 11 (64-bit) – ThinkBook 14 G4+ ARA, ThinkBook 16 G4+ ARA | J6CN40WW | J6CN40WW |
| ThinkBook 14 G4+ IAP Laptop | BIOS Update for Windows 11 (64-bit) – ThinkBook 14 G4+ IAP, ThinkBook 16 G4+ IAP | HYCN40WW | HYCN40WW |
| ThinkBook 14p G3 ARH | BIOS Update for Windows 11 (64-bit) – ThinkBook 14p G3 ARH | K4CN31WW | Not Affected |
| ThinkBook 14s Yoga ITL | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – ThinkBook 14s Yoga ITL | FNCN40WW | Not Affected |
| ThinkBook 15 G2 ARE Laptop | BIOS Update for Windows 10 (64-bit) – ThinkBook 14 G2 ARE, ThinkBook 15 G2 ARE | FACN33WW | Not Affected |
| ThinkBook 15 G2 ITL Laptop | BIOS Update for Windows 10 (64-bit) – ThinkBook 14 G2 ITL, ThinkBook 15 G2 ITL | F8CN52WW | Not Affected |
| ThinkBook 15 G3 ACL Laptop | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit)- ThinkBook 14 G3 ACL, ThinkBook 15 G3 ACL | GQCN35WW_HFCN30WW | Not Affected |
| ThinkBook 15 G3 ITL Laptop | BIOS Update for Windows 10 (64-bit) – ThinkBook 14 G3 ITL | HRCN13WW | Not Affected |
| ThinkBook 15 G4 ABA Laptop | BIOS Update for Windows 11 (64-bit) – ThinkBook 14 G4 ABA, ThinkBook 15 G4 ABA | JPCN20WW | Not Affected |
| ThinkBook 15P G2 ITH | BIOS Update for and Windows 11 (64-bit) – ThinkBook 15p G2 ITH | HJCN31WW | Not Affected |
| ThinkBook 16 G4+ ARA | BIOS Update for Windows 11 (64-bit) – ThinkBook 14 G4+ ARA, ThinkBook 16 G4+ ARA | J6CN40WW | J6CN40WW |
| ThinkBook 16 G4+ IAP Laptop | BIOS Update for Windows 11 (64-bit) – ThinkBook 14 G4+ IAP, ThinkBook 16 G4+ IAP | HYCN40WW | HYCN40WW |
| ThinkBook 16p G3 ARH | BIOS Update for Windows 11 (64-bit) – ThinkBook 16p G3 ARH | KCCN31WW | Not Affected |
| ThinkBook 16p NX ARH | BIOS Update for Windows 11 (64-bit) – ThinkBook 16P NX ARH | KJCN27WW | KJCN27WW |
| ThinkBook Plus G2 ITG | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – ThinkBook Plus G2 ITG | GYCN31WW | GYCN31WW |
| ThinkBook Plus G3 IAP | BIOS Update for Windows 11 (64-bit) – ThinkBook Plus G3 IAP | K6CN29WW | K6CN29WW |
| Yoga Creator 7-15IMH05 Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – Yoga Slim 7 15IMH05, IdeaPad Slim 7 15IMH05, Yoga Creator 7-15IMH05 | DNCN32WW | Not Affected |
| Yoga Duet 7-13IML05 | BIOS Update for Windows 10 (64-bit) – Yoga Duet 7-13IML05 | ERCN30WW | ERCN30WW |
| Yoga Duet 7-13ITL6 | BIOS Update for Windows 11 (64-bit) and Windows 10 (64-bit) – Yoga Duet 7-13ITL6, Yoga Duet 7-13ITL6-LTE | GPCN24WW | GPCN24WW |
| Yoga Duet 7-13ITL6-LTE | BIOS Update for Windows 11 (64-bit) and Windows 10 (64-bit) – Yoga Duet 7-13ITL6, Yoga Duet 7-13ITL6-LTE | GPCN24WW | GPCN24WW |
| Yoga Slim 7 Carbon 13ITL5 (ideapad) | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – Yoga Slim 7 Carbon 13ITL5, Yoga slim 7-13ITL05 | Not Affected | F7CN39WW |
| Yoga Slim 7 Pro 16ACH6 Laptop (IdeaPad) | BIOS Update for Windows 11 (64-bit) – Yoga Slim 7 Pro 16ACH6, Slim 7 Pro 16ACH6 | Not Affected | HUCN16WW |
| Yoga Slim 7 Pro 16ARH7 | BIOS Update for Windows 11 (64-bit) – Yoga Slim 7 Pro 16ARH7 | KLCN15WW | KLCN15WW |
| Yoga Slim 7-13ACN05 Laptop (ideapad) | BIOS Update for Windows 11 (64-bit) and Windows 10 (64-bit) – Yoga Slim 7-13ACN05 | Not Affected | GHCN28WW |
| Yoga Slim 7-13ITL05 Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – Yoga Slim 7 Carbon 13ITL5, Yoga slim 7-13ITL05 | Not Affected | F7CN39WW |
| Yoga Slim 7-14ARE05 Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – Yoga Slim 7-14ARE05, ideapad 7-14ARE05 | DMCN43WW | Not Affected |
| Yoga Slim 7-14IIL05 Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – Yoga Slim 7-14IIL05, Yoga Slim 7-15IIL05, ideapad Slim 7-15IIL05, ideapad Slim 7-14IIL05 | DHCN35WW | Not Affected |
| Yoga Slim 7-14ITL05 Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – Yoga Slim 7-14ITL05, Yoga Slim 7-15ITL05, IdeaPad Slim 7-14ITL05, IdeaPad Slim 7-15ITL05 | FBCN29WW | Not Affected |
| Yoga Slim 7-15IIL05 Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – Yoga Slim 7-14IIL05, Yoga Slim 7-15IIL05, ideapad Slim 7-15IIL05, ideapad Slim 7-14IIL05 | DHCN35WW | Not Affected |
| Yoga Slim 7-15IMH05 Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – Yoga Slim 7 15IMH05, IdeaPad Slim 7 15IMH05, Yoga Creator 7-15IMH05 | DNCN32WW | Not Affected |
| Yoga Slim 7-15ITL05 Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – Yoga Slim 7-14ITL05, Yoga Slim 7-15ITL05, IdeaPad Slim 7-14ITL05, IdeaPad Slim 7-15ITL05 | FBCN29WW | Not Affected |
| ideapad 5 Pro-16ACH6 Laptop | BIOS Update for Windows 11 (64-bit) and Windows 10 (64-bit) – IdeaPad 5 Pro-16ACH6, IdeaPad Creator 5-16ACH6 | Not Affected | GSCN34WW |
| ideapad 5 Pro-16IHU6 Laptop | BIOS Update for Windows 11 (64-bit) and Windows 10 (64-bit) – IdeaPad 5 Pro-16IHU6 | Not Affected | GRCN22WW |
| ideapad Creator 5-16ACH6 Laptop | BIOS Update for Windows 11 (64-bit) and Windows 10 (64-bit) – IdeaPad 5 Pro-16ACH6, IdeaPad Creator 5-16ACH6 | Not Affected | GSCN34WW |
How to Fix the 3 New Vulnerabilities in Lenovo UEFI?
Upgrading the firmware in Lenovo Laptops is the best way to fix these new vulnerabilities.
BIOS can be updated in three different ways in Lenovo Laptops.
Method 1: Automatic Update
Update Lenovo drivers, BIOS, and applications using Lenovo System Update. Lenovo System Update is the latest program that can be used to update your Lenovo laptop drivers and other software. It can also detect when there are new versions of the BIOS and automatically install them.
To check if your Lenovo laptop has this feature, go to Start Menu > Control Panel > System and Security. Click on “System” and then click on “Advanced system settings.” On the left panel, click on “Advanced” and then click on “Update BIOS.”
If you see the “Update BIOS” option, your Lenovo laptop has the Lenovo System Update feature. If you don’t see this option, your Laptop doesn’t have this feature, and you’ll need to install the BIOS updates manually.
Method 2: WinFlash
To use Winflash to install a BIOS update:
Download the most recent BIOS to your Windows desktop for easier usage. To locate and download the BIOS, follow these steps: Open the Lenovo support website (support.lenovo.com).
Enter the system machine type or product name. On the product page, click Drivers & Software. Filter by BIOS/UEFI, and choose the corresponding OS information.
Follow the instructions in the readme file to download and install the BIOS. Right-click on the BIOS flash package and select Run as administrator.
A self-extracting window will appear on Windows, and you should click the Install button. Then click on the Flash BIOS button. A caution screen will appear to notify users to connect the system’s power outlet and supply additional flash information.
Select the OK button. The BIOS update flashing program will automatically run. Please wait until the BIOS update flashing program has finished installation. When the BIOS update is completed, your computer reboots automatically.
Method 3: Update BIOS From Windows
Updating BIOS from Windows is simple and straight. Steps to update system BIOS in Lenovo Laptops:
Visit the official Lenovo website and download the BIOS update file.
Extract the downloaded file to a folder on your computer.
Double-click on the extracted BIOS file to launch the update process.
Follow the on-screen instructions to complete the BIOS update process.
Restart your computer and check if the BIOS update is successful.
These are the steps to update the system BIOS in Lenovo Laptops. Following these steps should help you update your BIOS successfully. In case you face any issues, please reach out to the Lenovo support team for assistance.
We hope this post would help you know how to fix the 3 new vulnerabilities in Lenovo UEFI. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this.
Arun KL
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
- April 18, 2024
Learn Something New with Free Email subscription
Learn Something New with Free Email subscription
Subscribe
Subscribe
Subscribe
Subscribe
- April 18, 2024
